topic Only with AnyConnect. There I in Network Security

Integration of Cisco VPN with OTP system (One Time Password)

Farooq Razzaque — Tue, 12 Mar 2019 05:11:34 GMT

Dear

I have a requirement to integrate the Cisco VPN (Cisco VPN Client for Remote Access IPSec VPNs etc.) with OTP system (One Time Password).

Anyone have any idea how to achieve this.

Do you really want to migrate

Karsten Iwen — Sun, 07 Dec 2014 08:16:04 GMT

Do you really want to migrate to OTP with the old VPN client that's not supported any more? I would recommend to migrate to AnyConnect with OTP. For that, my favorite System is Duosecurity, but there are many more on the market.

Hi KarstenThanks for the

Farooq Razzaque — Sun, 07 Dec 2014 11:44:06 GMT

Hi Karsten

Thanks for the reply.

I already have OTP system deployed in my network. And i already have remote access VPN configured on the ASA which is currently integrated with RSA (two factor authentication), now i have a requirement to integrate few selected users (i think these users can be created locally on the OTP system) which are using Remote access VPN to integrate with currently deployed OTP system. I want to know what configuration needs to be done on the ASA.

Dear KarstenAppreciate if you

Farooq Razzaque — Mon, 08 Dec 2014 09:00:22 GMT

Dear Karsten

Appreciate if you spare sometime to reply the previous mail.

Anyone else have any experience on this . Please share.

Appreciate if someone from cisco can also respond.

I've never integrated OTP to

Karsten Iwen — Mon, 08 Dec 2014 09:11:44 GMT

I've never integrated OTP to the old IPSec client (and I also don't like RSA ... 😉 ). So I can't help any further with that.

Dear KarstenOk. To which

Farooq Razzaque — Mon, 08 Dec 2014 09:23:51 GMT

Dear Karsten

Ok. To which IPSEC you integrated OTP.

Only with AnyConnect. There I

Karsten Iwen — Mon, 08 Dec 2014 09:39:17 GMT

Only with AnyConnect. There I used Duosecurity and some time ago also Youbikeys. Both worked fine.

Are Duosecurity and Youbikeys

Farooq Razzaque — Mon, 08 Dec 2014 09:55:16 GMT

Are Duosecurity and Youbikeys the OTP system ?

Can you share me the config you done on the ASA to integrate anyconnect with Duosecurity and Youbikeys

Duosecurity.com is an OTP

Karsten Iwen — Mon, 08 Dec 2014 10:11:47 GMT

Duosecurity.com is an OTP-provider, they operate the OTP-servers. Here are guides how to integrate it with SSL-VPN and the legacy IPsec-Client:

https://www.duosecurity.com/docs/cisco

https://www.duosecurity.com/docs/cisco-ipsec

Youbico had an OTP-server that is not maintained any more. Now they are producing the keys ("token") and use other OTP servers:

https://www.yubico.com/products/services-software/yubiradius/technical-description/

Dear KarstenThanks for your

Farooq Razzaque — Mon, 08 Dec 2014 15:07:31 GMT

Dear Karsten

Thanks for your response.

Anyone else have any experience on this . Please share.

Appreciate if someone from cisco can also respond.

Dear KarstenAfter the

Farooq Razzaque — Tue, 09 Dec 2014 19:18:43 GMT

Dear Karsten

After the integration of Remote Access VPN client/SSL VPN/Anyconnect with OTP, Is it possible that VPN client will first only prompt username and password fild will be grayed out or remain blank or not not shown and when i click ok after putting username then it will prompt for OTP password.

My OTP server supports http protocol. Is it possible to integrate remote access VPN client with OTP server using http protocol

Dear VibhorAppreciate if you

Farooq Razzaque — Wed, 10 Dec 2014 08:01:52 GMT

Dear Karsten

Appreciate if you could spare some time to respond on the requested query

I don't think that this will

Karsten Iwen — Wed, 10 Dec 2014 09:57:07 GMT

I don't think that this will be possible. To make it easy for the user I prefer the way that the user only sees his username and the two password-fields. For the OTP, at least LDAP and RADIUS or the native RSA-protocol can be used. Have not seen HTTP on the list of supported protocols. Perhaps there are some integration-documents from your OTP-vendor how to connect from the ASA?

Dear KarstenThanks for the

Farooq Razzaque — Wed, 10 Dec 2014 11:28:38 GMT

Dear Karsten

Thanks for the reply.

U mentioned two password filed. why two password fields are required. Can i only integrate with OTP without LDP, Radius etc

Please see below the AAA server types supported. I have mentioned all types below.

In that list Following HTTP forms is also supported. Any idea what this HTTP form is , if my OTP support HTTP protocol then can i use HTTP forms protocol to integrate with my OTP

SSO Support for Clientless SSL VPN with HTTP Forms

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/aaa.html#wp1084774

AAAA Server and Local Database Support

The security appliance supports a variety of AAA server types and a local database that is stored on the security appliance. This section describes support for each AAA server type and the local database.

This section contains the following topics:

•Summary of Support

•RADIUS Server Support

•TACACS+ Server Support

•RSA/SDI Server Support

•NT Server Support

•Kerberos Server Support

•LDAP Server Support

•SSO Support for Clientless SSL VPN with HTTP Forms

•Local Database Support

That's only for clientless,

Karsten Iwen — Wed, 10 Dec 2014 11:37:56 GMT

That's only for clientless, not for client-based VPNs.

Yes. So for clientless VPN,

Farooq Razzaque — Wed, 10 Dec 2014 11:45:04 GMT

Yes. So for clientless VPN, can we use HTTP form protocol to integrate with OTP which support Http.

What exactly this HTTP form is ? it is mentioning 'SSO support for clientless SSL VPN with HTTP forms.'

http://www.cisco.com/c/en/us

Karsten Iwen — Wed, 10 Dec 2014 12:04:12 GMT

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/webvpn-configure-users.html#pgfId-2905136

For clientless VPN, can we

Farooq Razzaque — Wed, 10 Dec 2014 12:14:45 GMT

For clientless VPN, can we use HTTP form protocol to integrate with OTP which support Http.

Dear KarstenCan you please

Farooq Razzaque — Wed, 17 Dec 2014 10:54:19 GMT

Dear Karsten

Can you please reply on the following

"U mentioned two password filed. why two password fields are required. Can i only integrate with OTP without LDP, Radius etc"

Thats the way I like to

Karsten Iwen — Wed, 17 Dec 2014 11:17:50 GMT

Thats the way I like to implement it. The first password is for checking the user agains AD, the second is for the OTP. You can probably configure it to only check against OTP, but thats nothing I have done. Probably it's best that you just try it.